Hotels fixing flaw that made room locks vulnerable to hackers

Dec. 14, 2012

by Barbara Delollis, USA TODAY


The locks on more than 1 million guestroom doors are in various stages of being repaired, following the revelation this summer that they may be vulnerable to hackers.

The New York Marriott Marquis, the biggest hotel in Manhattan, for instance, just completed updating all of its nearly 2,000 door locks. The hotel is one of thousands of properties with guestroom locks manufactured by Onity, a division of United Technologies.

An Onity website also lists Sheraton, Hyatt, Holiday Inn, Fairmont, Radisson and other well-known hotels from Paris to Perth as having its locks.

The lock scandal began as a hacker exercise. During a technology conference, an attendee revealed that he'd found a security flaw -- a way to electronically unlock a common, electronic hotel-door lock using inconspicuous tools. Other hackers checked out his claim and verified it. Their methods eventually showed up in a series of YouTube videos. (More: One of Forbes' articles about the lock situation.)

What could have been an academic exercise took a criminal turn in September, when Houston police arrested a man suspected of stealing laptops from a Hyatt hotel in the upscale Galleria mall.

Two hotel-room thefts, of laptops and other personal items, have been attributed to a hacker. That's because police found no sign of forced entry and hotel employees were ruled out as suspects in the Sept. 7 and 11 incidents at the Hyatt House Galleria hotel, says Houston Police spokesman John Cannon.

The hacking tool, according to Petra's alert, could be made for about $50 in easy-to-acquire electronic parts.

"Please train and notify your hotel staff that these burglaries are spreading across the country," Petra's alert cautioned hoteliers. "Hotel staff should be vigilant while they are on the guest floors and paying attention to guests walking through hallways. ... Take time to watch guests walking through your hallways to ensure they are going to a room and entering it. Be very suspicious of someone carrying a laptop or small bag wandering the hallways. Greet guests and ask them if they need assistance."

In Florida, Petra loss prevention expert Todd Seiders said he received reports that a hacker had been seen carrying a laptop and using a key card -- possibly connected to the laptop -- to open locked guestroom doors.

Onity did not immediately return an e-mail seeking comment about the issue. But in a statement updated for December on its website, Onity says that as of Nov. 30, it has shipped hardware to fix 1.4 million hotel door locks. The hardware includes mechanical caps and security screws that "block physical access to the lock ports that hackers use to illegally break into hotel rooms."

"Immediately following a hacker's public presentation of illegal methods of breaking into hotel rooms, Onity engineers developed both mechanical and technical solutions, which have been tested and validated by two independent security firms," lock maker Onity's statement says. "These solutions began shipping to customers worldwide in August 2012."

Onity says that over "the next several weeks," it would "ensure all hotel properties in our databases receive the mechanical solution." Hotels must then install the new hardware.

Travelers told to take precautions

Meanwhile, travelers who are staying in hotels with Onity locks that have not yet been secured hang in the lurch, says hospitality lawyer Stephen Barth, who's been tracking the saga.

To comply with its "duty of care" responsibility, a hotel in this situation should disclose the fact to customers and encourage them to take secondary measures, such as using the in-room safe and applying their door's safety latch, says Barth, president of HospitalityLawyer.com. He also says travelers should first check those safety latches to make sure they are in good working condition.

"The issue here is that hotels that have Onity lock systems are aware of this flaw, so do they have a duty to warn their guests?" he says. "Most hotels so far have taken the position that they're not going to tell guests but encourage them to be sure to use the security bar."

Telling a guest that their hotel room door may be vulnerable to a break-in could hurt business, but if a customer falls victim to the scenario, the hotel could be liable in court, he says.

Behind the scenes, hotels in this situation should beef up security, do more sweeps of their property and increase coverage with closed-circuit television systems, he says.

At this point, there has been no report of a criminal hacking open a guestroom door while the guest is inside, he says.

As for Hyatt, the publicly held hotel operator issued a statement saying that "every Hyatt hotel has in place a range of tailored security measures and protocols to make each hotel as safe as possible." The company is working with Onity, the owners and the industry to ensure that there's "a comprehensive solution in place."

The statement adds that as soon as Hyatt became aware of the situation in late July, the hotels with the affected Onity locks "implemented various security measures to help mitigate the potential vulnerability."
